New Mac Defender malware variant drops admin password requirement

There's a new variant on the Mac Defender malware that appears to be making …

Move over Mac Defender—there's a new malware variant in town, and it doesn't require the administrator password for installation. Security research firm Intego issued a new warning to Mac users on Wednesday, heavily cautioning users that a new variant on Mac Defender, called Mac Guard, is making the rounds via SEO poisoning online.

Intego initially warned users about a fake antivirus program called MAC Defender (it has since gone through several name and capitalization changes) earlier this month. The Mac-like app posed as an antivirus program and asked users for their credit card numbers in order to purge viruses on their machines or protect them from new ones. Although Intego initially gave Mac Defender a low risk rating because of its admin password requirement, it soon became apparent that Mac Defender was indeed beginning to make the rounds among the Mac-using community. We spoke with a number of third-party support reps, as well as several Apple Store Geniuses, who vouched for an apparent increase in Mac Defender malware reports.

When we spoke with Intego spokesperson Peter James last week, he pointed out that he initially saw a new Mac Defender variant every 12 to 24 hours, but eventually stopped seeing new versions. He warned that the creators could be revamping the malware to stay under the radar of legit antivirus software or to find new ways to poison users' machines. Now with the availability of Mac Guard, that indeed seems to be the case.

"Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user can install software in the Applications folder, a password is not needed," Intego wrote on its blog. "This package installs an application—the downloader—named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind."

Once again, the company advises users to turn off "Open 'safe' files after downloading" in their Safari preferences, since this malware, and others like it, is making its way onto users' computers via maliciously crafted URLs.

Apple itself acknowledged Mac Defender yesterday in a support document. The company promised to issue a software update that would automatically remove the malware and its variants, but also listed out instructions for how to remove it. We can only assume (or hope, at least) that Apple will include Mac Guard when it gets around to issuing that update, but in the meantime, Intego also offers its own VirusBarrier X6 tool to help remove it.
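The three conditions the article and the comment thread turn on (whether Safari still auto-opens "safe" downloads, whether the account is in the admin group, and whether /Applications is writable without a password prompt) can be checked from a terminal. The script below is an added example, not code from Ars Technica, Intego or Apple; the Safari preference key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain is real, the "missing key means enabled" default is an assumption drawn from the article's advice to turn the option off, and the helper functions are plain POSIX sh so they can be exercised on any system.

```shell
#!/bin/sh
# Added example (not from the article or Intego): audit the settings the
# article and comments discuss. Only audit_mac() needs macOS; the helpers
# are portable so they can be tested anywhere.

# Interpret a `defaults read` value. Returns 0 (true) when auto-open is on.
# `defaults` prints "1" for a true boolean; an empty value means the key is
# unset, which we treat as "on" (assumption: Safari's default at the time).
safe_downloads_enabled() {
    case "$1" in
        1|true|TRUE|YES|yes|"") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the wanted group appears in a space-separated group list,
# e.g. the output of `id -Gn`.
in_group() {
    _list="$1"
    _wanted="$2"
    for _g in $_list; do
        [ "$_g" = "$_wanted" ] && return 0
    done
    return 1
}

# Return 0 when the directory exists and is writable by the current user.
dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

audit_mac() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "not macOS; skipping live audit"
        return 0
    fi
    _val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    if safe_downloads_enabled "$_val"; then
        echo "WARN: Safari opens 'safe' files automatically; disable with:"
        echo "      defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    else
        echo "OK: Safari auto-open of 'safe' files is off"
    fi
    if in_group "$(id -Gn)" admin; then
        echo "WARN: this account is in the admin group (day-to-day use should not be)"
    else
        echo "OK: this account is not an administrator"
    fi
    if dir_writable /Applications; then
        echo "WARN: /Applications is writable by this account without a prompt"
    else
        echo "OK: writing to /Applications requires elevation"
    fi
}

audit_mac
```

The /Applications check only shows whether an installer could drop a bundle there silently; as several commenters note, an application does not have to live in /Applications to run, so the Safari setting and a non-admin daily account are the more useful findings.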

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui

"Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user can install software in the Applications folder, a password is not needed,"


How convenient.

I'd like to know which Applications folder is being talked about here: The global one, or the user's own.

(Although I think at least any admin can install to the global Applications folder without a password.)

"Since any user can install software in the Applications folder, a password is not needed"

Not true, only users associated with the admin group can add things to /Applications folder. Now if your user is allowed to administer the system then you are part of that group (first users created on a system is defaulted to allow administration of the system). The general recommendation is to have the first user on the system be reserved for admin tasks and to use a secondary user login for your typical daily usage.

Of course you don't have to put an application in /Applications folder to be runnable.

I am pretty sure I need an administrator password to install apps in the Application folder (although, I am not sure if this is enabled/disabled by default).

Besides, as another commentator mentions, you don't need to install an app in the application folder to execute it. An admin can setup the mac so that this is necessary, but I doubt any home Mac user does this.

End of the day, if you install applications which do bad things, there is nothing Apple, MS, etc. can do to save you. The best way to combat this problem is the one Apple is taking, by encouraging users to use the App Store, but of course, all that does is bring out cries of "Evil". (That being said, if Apple prevents the installation of Apps from outside the Mac App Store, which I HIGHLY doubt, then my Ubuntu box will be seeing a lot more time).

LOL, 2 trojans on the Mac platform, is this the best these hackers can do? Meanwhile, 140,000 confirmed viruses for Windows.

Uhh no! The Defender found 142 at least on this guy's computer.

Lol!

So, what's the percentage of Mac users that use Safari by default? I use mostly Chrome on my Mac(s) with the occasional Firefox. I've never seen an option to automatically run files in either of those, so I'm either very lucky that it's disabled by default, or it doesn't exist.

Hey, why wait for the Apple Defense Ministers to come, when we can just look all the Apple Haters that have been completely wrong about the supposed virus epidemic that was supposed to hit the Mac platform EVERY YEAR for the past ten years. Let's look at that list, shall we?

2003

"The truth is that the Mac OS is just as vulnerable as Microsoft Windows."—Lance Ulanoff, Security, IT Hub.

2004

"Windows is more secure than you think, and Mac OS X is worse than you ever imagined."—Matthew Broersma, Techworld.

2005

"The naming of Apple's Mac OS X to the list of latest warning from security experts to users that Apple's operating system is not immune to threats."—Robert Lemos, Security Focus

"Attacks on Apple's OS X operating system, thought by many who use the Mac to be virtually immune from hackers, are on the rise, according to a report from Symantec, an anti-virus software vendor."—Wired.

2006

"Several security researchers have predicted that 2006 will be the year Mac OS X loses its image as a "safe" operating system."—Matthew Broersma, Techworld.

"There will be a significant rise in virus attacks on both the Mac and open-source platforms, according to renowned security expert, Eugene Kaspersky."—Barry Collins, PC Pro.

"After years of relative safety in obscurity, the Apple Mac is becoming an increasingly tempting target for malicious computer hackers, according to a new report published this week."—Kevin Allison, Financial Times.

"The reality is that the era of serene isolation is ending, partly because of technical changes that increase a Mac's vulnerability to infected documents—and even programs—originally created on a PC."—James Fallow, The Atlantic.

2008

"With Apple's market share now around 8.5 percent and growing quickly, with sales of almost 2.5 million last quarter these Mac newbies are a tempting target for profit-minded cybercriminals."—Dwight Silverman, Chron.com.

"Macintosh computers have been gaining market share and catching the interest of hackers, according to Zero Day Initiative (ZDI) security vulnerability analyst Cameron Hotchkies."—Glenn Chapman, Yahoo.

2009

"For years, Apple fans have claimed that Macs are invulnerable to attack, while belittling Windows as being full of security holes. Now the tables are turned."—Preston Gralla, Computerworld.

"According to a new article by CNN, Mac users now have something to worry about when it comes to security. Mac computers are known for their near immunity to malicious computer programs that plague PC’s."—Shawn Moniz, Shawn's Technology spot.

2010

"Mac and iPhone users may think they are immune from viruses and malware, however as the operating system becomes more popular more cybercriminals will be attracted to this growing base," warned Symantec's product development director, Con Mallon.—Jonny Evans, Computerworld.

LOL, after all these predictions, the best that you guys have been able to do is a couple of trojans (not viruses by the way) that users have to actively install for them to be able to work. We've been seeing Mac trojans, usually the same 2 at a time variety every year and there's still no epidemic.

"Since any user can install software in the Applications folder, a password is not needed,"

This is true if the user is an administrator. If not, it isn't ... you'll be prompted for an administrator password if you try to drag-and-drop, and if you're doing lower-level file access it will simply fail.

There isn't really much reason for your user account to have administrator privileges, and it's a very good idea not to set up day-to-day accounts with them. Things that need admin privileges prompt you for an admin account and password so it's not difficult to deal with unprivileged accounts.

It was only a matter of time. As more and more users start to move to the Apple OS, you're going to see more and more of this sort of thing. Mac users also generally aren't the most tech savvy users. Sure, there are some that use it because of its BSD roots, these happen to be the more tech savvy users, but the majority are buying into the hip factor and the "ease of use" (although there isn't really anything easier about it than any other OS out there, but that's another story), not because they know how to use a computer well or have much common sense when it comes to clicking on ads or visiting phishing sites.

There be a shitstorm a brewin'. "Macs don't get viruses." HAHAHA! Finally at least this nonsensical fallacy will be left for dead.


Excellent points, the hypocrisy comes from the fact that Mac users have been blaming Microsoft for not patching stupidity and now that their own numbers are approaching critical mass for the hacking community the shoe may soon be on the other foot. I use Linux primarily but do have a Windows box for graphics work (Photoshop, Illustrator, Pencil, etc.) and have managed to stay virus free for years by exercising a modicum of common sense. Firefox + AdBlock + NoScript is a godsend.


Where's the epidemic you promised, Apple Haters?

Nice cherry picking, I don't see how that was supposed to bolster your credibility though.

The open safe files feature is only a minor short cut for malware, users can still be tricked into downloading bad things and running them without any care about the safe files feature.

Safe files opening an installer which prompts the user before doing anything isn't a big problem IMHO, it is that folks will click OK far too easily.

...signed installers / applications from a trusted source(s) known to the OS and expanded use of sandboxing (/me looks at Lion) will help deal with this, you can help users protect themselves with that type of stuff in place (normal pathways don't flag so users don't get used to clicking OK).


Most home users aren't going to know the difference. They're going to have an account with admin privileges, just because it was set up that way.

Brass2TheMax wrote:

It was only a matter of time. As more and more users start to move to the Apple OS, you're going to see more and more of this sort of thing. Mac users also generally aren't the most tech savvy users. Sure, there are some that use it because of its BSD roots, these happen to be the more tech savvy users, but the majority are buying into the hip factor and the "ease of use" (although there isn't really anything easier about it than any other OS out there, but that's another story), not because they know how to use a computer well or have much common sense when it comes to clicking on ads or visiting phishing sites.

There be a shitstorm a brewin'. "Macs don't get viruses." HAHAHA! Finally at least this nonsensical fallacy will be left for dead.

They don't get viruses unintentionally, at least for the time being. This still requires an action from the user in order to affect your machine, albeit much less interaction than before.

Once they figure out a way to bypass Safari's "Autoopen Safe File" guard, THEN the shitstorm will be a brewin'.

And for Paul Chapel - Please go away. Nobody cares about your rabid fandom. OSX may be less secure out-of-the-box but it still largely benefits from security through obscurity. I am surprised that no hacker has released a virus into the wild for the lulz, but it seems that malware authoring has become more of an economic activity. Congrats for giving all Mac users a bad name and proving that some stereotypes (pretentious twits, etc.) can be true.

The majority of those aren't promising an epidemic. They're merely stating that the notion of being immune is wrong and the lack of malware is based on other factors. If anything, the appearance of malware pretty much proves this.

Nope, literally every year a Mac trojan comes out and the same "the sky is falling" type articles make their rounds on tech sites. Remember the trojan that was included in a pirated version of iWork 2009?

You know what these trojans have in common? You don't hear crap about them for more than a few weeks after they are introduced because trojans don't create epidemics. Viruses on the other hand, do. And no one has successfully created a virus for Mac OS X.

It's hard for software companies to get customers to update their legit software. You really think you're going to create an epidemic trying to trick people into installing malware? LOL, good luck with that.